Personally I think we SHOULD keep returning data when we are using a protocol built specifically to transport data. I am struggling to see a reason for this to exist, and it almost feels like someone saying "I was sick of my REST API returning a bunch of boring old JSON!"
What a terrible idea this ui protocol is. MCP is already pretty much “prompt injection as a service “. This creates a little-known side channel to make it easier to slip an exploit under people’s radar.
I get where you’re coming from, but there are some security practices in place. The host client renders views inside a strictly sandboxed `<iframe>`. Any action the UI wants to take must pass an auditable message back to the host application, which triggers an explicit user-permission prompt.
I stumbled onto this capability while using the Spotify MCP App inside Claude. a fully functional, interactive playlist an dmusic player widget spin up inline, instead of a standard markdown list of text links. It turns out this is built on the official MCP Apps spec extension that Anthropic and OpenAI standardized a few months back. It lets your server declare a ui:// URI, which the host grabs and mounts inside a sandboxed iframee. Core mcp blew up overnight, but this extension still feels pretty underground. It makes me wonder if we're heading toward a weird shift where AI agents become the primary browsers of the web, and front-end dev becomes about building micro-widgets for LLMs instead of humans.
Not to continue piling on here but if we want to shift from a human consumer to an LLM consumer, I think the WORST thing you can do is obscure raw data behind some kind of "widget"
Personally I think we SHOULD keep returning data when we are using a protocol built specifically to transport data. I am struggling to see a reason for this to exist, and it almost feels like someone saying "I was sick of my REST API returning a bunch of boring old JSON!"
What a terrible idea this ui protocol is. MCP is already pretty much “prompt injection as a service “. This creates a little-known side channel to make it easier to slip an exploit under people’s radar.
I get where you’re coming from, but there are some security practices in place. The host client renders views inside a strictly sandboxed `<iframe>`. Any action the UI wants to take must pass an auditable message back to the host application, which triggers an explicit user-permission prompt.
I stumbled onto this capability while using the Spotify MCP App inside Claude. a fully functional, interactive playlist an dmusic player widget spin up inline, instead of a standard markdown list of text links. It turns out this is built on the official MCP Apps spec extension that Anthropic and OpenAI standardized a few months back. It lets your server declare a ui:// URI, which the host grabs and mounts inside a sandboxed iframee. Core mcp blew up overnight, but this extension still feels pretty underground. It makes me wonder if we're heading toward a weird shift where AI agents become the primary browsers of the web, and front-end dev becomes about building micro-widgets for LLMs instead of humans.
Not to continue piling on here but if we want to shift from a human consumer to an LLM consumer, I think the WORST thing you can do is obscure raw data behind some kind of "widget"